I am a bit confused on how they were able to access these devices if they stated the network is not allowing routing? I think I may've missed that part in the article.
nice writeup. might be a bit careful though, as far as i know port scanning might be technically not allowed by your campus's it policy... nonetheless great job!
Ex Vaddio PM here. Like 5 years ago all our firmware defaulted to requiring non-default passwords on setup. We also created a free windows application that can mass upgrade firmware and change auth if defaults were used. We tried!
Saw the Vaddio logo and had to chime in. Gotta stick up for my Minnesota devs.
Causing a 15 minute outage campuswide is not clever at all. A DOS attack was not the goal and it drew unwanted attention. If I was responding to this outage there would have been consequences - not for doing it, but for getting caught. Perhaps a 200 KB/s rate limit on every device associated with the user for escalating timeout periods if the unclever behavior remained attributable.
> At some point, I hit a threshold where the DNS server could no longer keep up and broke. As I later found out, this caused a ~15 minute campus wide outage for managed computers as no computer could make the DNS lookup in order to mount its network drive. IT politely told me to stop spamming the DNS server after this, so I did.
> How’d IT know it was me? I yapped about it for two weeks!
You know, I think maybe the first part is how they found out about you, rather than that they just happened to follow you on social media :)
The PTR record enumeration trick is often fun to try on hotel and other public networks.
The problem here is that many places segment their guest network away from the internal one, but they use the same DNS server for both, so guests can still resolve internal hostnames and perform rev DNS queries.
I usually like to run a traceroute or two (to some arbitrary external IP like 1.1.1.1 or 8.8.8.8) whenever I connect to a new network. As traceroute does rev dns by default, if you see the internal hostname for your default gateway (and possibly other hosts inbetween you and the wider internet), those IPs are likely good starting points for your rev DNS shenanigans.
I also love PTR record numeration using broadcast mDNS/Bonjour. Instead of relying on a central server, you send out the same sort of DNS query but as a broadcast packet:
dig -x 192.168.1.1 @224.0.0.251 -p 5353
This gets you the .local address of a device. Of course, fewer things support mDNS. But it will often come up with interesting details. On Apple devices, you can also retrieve the model number via mDNS.
It’s university. It’s the time to be irresponsible and immature. When I worked managing serious high performance computing systems at a university and my job relied on the network. When the network failed, we would just go to the bar and have a couple drinks. It’s really not that big a deal.
Even running a port scanner is enough to face disciplinary action at many US colleges. Taking down the network for the entire school for 15 minutes surely deserved more consequences than were doled out here. I'd encourage the author to focus their efforts and talents on something more constructive.
Why would they deserve “more consequences”? Academia isn’t the real world. It’s a place where people can learn how to interact with the world as an adult. People should be encouraged to experiment (within reason) and if there is no actual bad intent, consequences should focus on learning rather than punishment.
...where are, at a trivial minimum, the VLANs!?!? Or even outright separate physical architecture, but at the very least even the absolute cheapest prosumer Omada/UniFi/Mikrotik/whatever switches and WAPs made for the last decade+ will give you some simple segmentation for free. I don't understand, apparently they had cameras and other devices in a single flat network space that any rando BYD could cruise around in? Like, sure, absolutely change default passwords, better provisioning, consider what info DNS or other side channels (like certificate transparency if you use a public CA and don't use a wildcard) might reveal, use internal VPNs even for trusted devices to access certain stuff, etc etc. But it still feels like simply isolating security/surveillance and other restricted use devices should sorta be the 101 first layer of the onion and if that wasn't done yeesh.
If this was written 20-25 years ago sure, but in 2026? Wild.
The 554 RTSP restream thing is something I see a lot in badly configured NVR setups. Many NVRs are configured to restream the cameras they watch, the idea being that only the NVR watches the camera's feeds directly to reduce the CPU load on the relatively weak CCTV cameras - the beefy NVR server can restream to many more clients instead of them all talking to the camera individually.
There are so many of these tools that simply re-stream the RTSP CCTV feed with no support for using any sort of authentication though - the expectation is you configure firewall rules appropriately so only the "correct" devices can view the feed on the open port.
Reminds me of the time in college I realized that the university network's dynamic DNS configuration was wrong and that if I named my Linux laptop with the same hostname of the mail server, I became the mail server when I connected to the network. (I used an ethernet jack in the cafeteria and a random PCMCIA network card I found in the help desk stash so they wouldn't trace the problem back to my school laptop. The IT department already hated me for unrelated reasons.)
23 comments
[ 4.7 ms ] story [ 41.5 ms ] threadSaw the Vaddio logo and had to chime in. Gotta stick up for my Minnesota devs.
> How’d IT know it was me? I yapped about it for two weeks!
You know, I think maybe the first part is how they found out about you, rather than that they just happened to follow you on social media :)
The problem here is that many places segment their guest network away from the internal one, but they use the same DNS server for both, so guests can still resolve internal hostnames and perform rev DNS queries.
I usually like to run a traceroute or two (to some arbitrary external IP like 1.1.1.1 or 8.8.8.8) whenever I connect to a new network. As traceroute does rev dns by default, if you see the internal hostname for your default gateway (and possibly other hosts inbetween you and the wider internet), those IPs are likely good starting points for your rev DNS shenanigans.
what, the university using default passwords on freaking cameras? agreed!
And eventually the knowledge gets out anyway and someone who doesn't care does more damage that's harder to clean up.
> I used ai for a single rust scope issue that google wasn’t giving me clear answers for.
Nowadays, this needs to be highlighted. Congrats
Why?! ;_;
If this was written 20-25 years ago sure, but in 2026? Wild.
There are so many of these tools that simply re-stream the RTSP CCTV feed with no support for using any sort of authentication though - the expectation is you configure firewall rules appropriately so only the "correct" devices can view the feed on the open port.